Virus Encryption - PowerPoint PPT Presentation

About This Presentation

Title: Virus Encryption

Description: Virus Encryption, CS 450, Joshua Bostic. Topics: encryption as a deterrent to virus scans; history of polymorphic viruses; use of encryption by viruses. (PowerPoint PPT presentation)

Slides: 18
Provided by: cseUnrEd4
Learn more at: https://www.cse.unr.edu
Transcript and Presenter's Notes

1
Virus Encryption
  • CS 450
  • Joshua Bostic

2
Topics
  • Encryption as a deterrent to virus scans.
  • History of polymorphic viruses.
  • Use of encryption by viruses.

3
Why encrypt the code?
  • The ability of a virus to change its code/form
    is known as polymorphism.
  • Changing the code prevents anti-virus programs
    from matching the encrypted virus to the known
    patterns (signatures) for that virus.

4
How to find viruses
  • If you can find the code that decrypts the virus,
    you can remove the virus.
  • The virus writer's answer is to make the
    decryption code polymorphic as well.
  • To do this the virus can scatter different parts
    of its code around by using jumps.

5
Repositioning of code
[Diagram of an infected program, labelled top to bottom: Remainder of virus code; Portion of virus code and a jump to end of program code; Program code]

6
So now what?
  • Encrypted polymorphic viruses can fool anti-virus
    software for only so long.
  • After enough versions of the decryption code have
    been seen, virus scanners can detect in general
    what a variant of the virus will look like.
  • This is done thanks to heuristics.

7
Heuristics
  • Two approaches: emulation and analysis.
  • Emulation runs the questionable code in a
    virtual machine. If the code acts in a malicious
    way it is considered a virus.
  • Analysis inspects the code and determines its
    intent.
  • Benefit: can find unknown variants.
  • Con: can take a long time and can produce false
    positives.
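
As an added example (not part of the original slides), a toy model in Python of slides 3, 4 and 7. The four-instruction decryptor "ISA", the stand-in body and the signatures are all constructed for this page; it shows that a static signature misses the encrypted body, that the plain decryptor stub works as a signature only until the stub is rearranged with a jump, and that emulating the stub in a sandboxed memory copy before scanning still finds both generations.

```python
# Toy model of slides 3, 4 and 7. Constructed for this page: a four-instruction decryptor
# "ISA" (not real x86), a stand-in body that is XOR-encrypted with a per-generation key,
# and a scanner that either matches bytes statically or first runs the decryptor in a
# sandboxed memory copy (the emulation heuristic) and scans the result.
SET_KEY, XOR_RANGE, JMP, HALT = 0x10, 0x20, 0x30, 0x00

BODY = b"SAMPLE BODY: infect files, then open backdoor"  # constructed stand-in, not a payload
SIGNATURE = b"infect files"                                # pattern the scanner holds for BODY
STUB_SIGNATURE = bytes([XOR_RANGE, 6, len(BODY), HALT])     # pattern for the unscattered stub

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def build_sample(key: int, scattered: bool = False) -> bytes:
    """One generation: decryptor stub followed by the encrypted body.
    scattered=True splits the stub with a JMP over junk bytes, as slide 4 describes."""
    if scattered:
        stub = bytes([SET_KEY, key, JMP, 8]) + b"JUNK" + bytes([XOR_RANGE, 12, len(BODY), HALT])
    else:
        stub = bytes([SET_KEY, key, XOR_RANGE, 6, len(BODY), HALT])
    return stub + xor_bytes(BODY, key)

def static_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic signature matching on the bytes exactly as they sit on disk."""
    return signature in sample

def emulate(sample: bytes, max_steps: int = 1000) -> bytes:
    """Run the stub inside a private copy of the sample and return the resulting memory."""
    mem, pc, key = bytearray(sample), 0, 0
    for _ in range(max_steps):  # step budget: never assume hostile code halts
        if pc + 2 >= len(mem):  # truncated or malformed stub: stop
            break
        op = mem[pc]
        if op == HALT:
            break
        if op == SET_KEY:
            key, pc = mem[pc + 1], pc + 2
        elif op == XOR_RANGE:
            start, length = mem[pc + 1], mem[pc + 2]
            mem[start:start + length] = xor_bytes(mem[start:start + length], key)
            pc += 3
        elif op == JMP:
            pc = mem[pc + 1]
        else:
            break  # unknown opcode: the stub has handed control to the body
    return bytes(mem)

def emulated_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Heuristic scan: decrypt by emulation first, then look for the body signature."""
    return signature in emulate(sample)
```

Two generations with different keys, one of them with the scattered stub, are enough to see the difference: the static scan finds neither body, the stub pattern finds only the unscattered generation, and the emulated scan finds both.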

8
Spreading
  • The speed of mutation can also be controlled.
  • The encryption changes with every new infection,
    but how different each generation looks depends
    on how fast the mutation is.
  • If the mutation is slow, it is harder to
    determine which of the different combinations of
    code are still the same virus.

9
Current example
  • The Virut virus.
  • Infects .exe and .scr files.
  • Each time it spreads it mutates.
  • Opens a backdoor and connects to an Internet
    Relay Chat (IRC) server, which allows someone to
    remotely download malware onto the computer.

10
Early examples
  • Dark Avenger was one of the first polymorphic
    viruses.
  • First noticed in the early 1990s.
  • Would add extra code to .com and .exe files in
    MS-DOS.
  • When the infected program had run 16 times, the
    virus would randomly overwrite a section of the
    hard drive.
  • Was created in Bulgaria, but the creator is still
    unknown.

11
Inventor of polymorphism
  • Fred Cohen invented polymorphism for viruses.
  • Also credited with being the first to define the
    term computer virus.
  • Currently works on virus defense techniques.

12
Other uses for encryption
  • A virus can also encrypt the user's files.
  • One virus known to do this is Gpcode.
  • Gpcode encrypts some of your data and then offers
    to decrypt it once you've paid a ransom.
  • Gpcode uses 1024-bit RSA encryption.
  • Encrypts files ending in .doc, .txt, .pdf, .xls,
    .jpg, .png, and others.

13
Work-arounds
  • Kaspersky Lab (an anti-virus company) suggests
    using PhotoRec to recover the encrypted data.
  • PhotoRec is freeware.
  • The only problem is that if you turned the
    computer off after it was infected, PhotoRec
    won't work.

14
Full fixes
  • Currently there is no known fix to the problem.
  • Kaspersky is trying to find the proper key to
    decrypt the files, but nothing prevents the
    creator from changing the key.
  • Kaspersky is also trying to find a solution to
    the virus itself.

15
Conclusion
  • Use of encryption with polymorphism.
  • Effects of polymorphism.
  • Virus encryption.

16
Questions?

17
Resources
  • http://vx.netlux.org/lib/static/vdat/tumisc76.htm
  • Security in Computing
  • http://vx.org.ua/lib/static/vdat/ephearto.htm
  • http://www.infoworld.com/d/security-central/kaspersky-workaround-encryption-virus-comes-catch-465
  • http://voices.washingtonpost.com/securityfix/2008/06/ransomware_encrypts_victim_fil.html
  • http://www.cgsecurity.org/wiki/PhotoRec
  • http://all.net/resume/bio.html
  • http://it.toolbox.com/wiki/index.php/Metamorphic_Code